kubernetes

2nd chunk of `content/en/docs/tasks/administer-cluster/ip-masq-agent.md`
![masq/non-masq example](/images/docs/ip-masq.png)

The agent configuration file must be written in YAML or JSON syntax, and may contain three
optional keys:

* `nonMasqueradeCIDRs`: A list of strings in
  [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation that specify
  the non-masquerade ranges.
* `masqLinkLocal`: A Boolean (true/false) which indicates whether to masquerade traffic to the
  link local prefix `169.254.0.0/16`. False by default.
* `resyncInterval`: A time interval at which the agent attempts to reload config from disk.
  For example: '30s', where 's' means seconds, 'ms' means milliseconds.

Traffic to the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 ranges will NOT be masqueraded. Any
other traffic (assumed to be internet-bound) will be masqueraded. Examples of local destinations
from a pod are its own node's IP address, another node's address, or one of the IP addresses in
the cluster's IP range. The entries below show the default set of rules applied by the
ip-masq-agent:

```shell
iptables -t nat -L IP-MASQ-AGENT
```

```none
target     prot opt source               destination
RETURN     all  --  anywhere             169.254.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             10.0.0.0/8           /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             172.16.0.0/12        /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             192.168.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
MASQUERADE  all  --  anywhere             anywhere             /* ip-masq-agent: outbound traffic should be subject to MASQUERADE (this match must come after cluster-local CIDR matches) */ ADDRTYPE match dst-type !LOCAL
```
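The config keys and the rule listing above together define what the agent should have installed, so a useful check is to compare the two. The following script is an added example, not part of the Kubernetes docs or the ip-masq-agent project: it derives the expected exempt destinations from a config (assuming, as the listing above implies, that link-local is exempt unless `masqLinkLocal` is true and the three RFC 1918 ranges are used when `nonMasqueradeCIDRs` is unset), parses `iptables -t nat -L IP-MASQ-AGENT` output, and reports RETURN rules that are missing, unexpected, or ordered after the MASQUERADE rule.

```python
import ipaddress
import json

# Assumed defaults, taken from the rule set shown above: link-local is exempt
# unless masqLinkLocal is true; RFC 1918 ranges apply when nonMasqueradeCIDRs is unset.
LINK_LOCAL = "169.254.0.0/16"
DEFAULT_NON_MASQ = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def expected_exempt_cidrs(config: dict) -> list[str]:
    """Destinations that must hit a RETURN rule before the final MASQUERADE.
    Host bits are normalised away (10.0.0.1/8 -> 10.0.0.0/8) so networks compare equal."""
    cidrs = [] if config.get("masqLinkLocal", False) else [LINK_LOCAL]
    cidrs += config.get("nonMasqueradeCIDRs", DEFAULT_NON_MASQ)
    return [str(ipaddress.ip_network(c, strict=False)) for c in cidrs]

def parse_chain_listing(listing: str) -> list[tuple[str, str]]:
    """Turn `iptables -t nat -L IP-MASQ-AGENT` output into (target, destination) pairs."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ("Chain", "target"):
            continue  # skip the chain header, the column header and blank lines
        rules.append((parts[0], parts[4]))
    return rules

def audit_chain(config: dict, listing: str) -> list[str]:
    """Report mismatches between the intended config and the installed chain."""
    findings = []
    rules = parse_chain_listing(listing)
    if not rules or rules[-1][0] != "MASQUERADE" or rules[-1][1] not in ("anywhere", "0.0.0.0/0"):
        findings.append("chain does not end with a catch-all MASQUERADE rule")
    exempt = [dst for tgt, dst in rules if tgt == "RETURN"]
    want = expected_exempt_cidrs(config)
    findings += [f"missing RETURN for {c}: traffic would be masqueraded" for c in want if c not in exempt]
    findings += [f"unexpected RETURN for {c}: traffic escapes masquerade" for c in exempt if c not in want]
    # Order matters: a RETURN placed below the MASQUERADE rule can never match.
    targets = [tgt for tgt, _ in rules]
    if "MASQUERADE" in targets and "RETURN" in targets[targets.index("MASQUERADE"):]:
        findings.append("a RETURN rule is placed after MASQUERADE and will never match")
    return findings

# Constructed sample config, in the JSON form the agent accepts.
SAMPLE_CONFIG = json.loads('{"nonMasqueradeCIDRs": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"], "masqLinkLocal": false, "resyncInterval": "60s"}')
# The default listing shown above, with the rule comments dropped for brevity.
SAMPLE_LISTING = """target     prot opt source               destination
RETURN     all  --  anywhere             169.254.0.0/16       ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             10.0.0.0/8           ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             172.16.0.0/12        ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             192.168.0.0/16       ADDRTYPE match dst-type !LOCAL
MASQUERADE  all  --  anywhere             anywhere             ADDRTYPE match dst-type !LOCAL
"""
```

Running `audit_chain(SAMPLE_CONFIG, SAMPLE_LISTING)` on a node should return an empty list; any finding means the installed NAT chain no longer reflects the intended config.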

By default, in GCE/Google Kubernetes Engine, if network policy is enabled or
you are using a cluster CIDR not in the 10.0.0.0/8 range, the `ip-masq-agent`
will run in your cluster. If you are running in another environment,
you can add the `ip-masq-agent` [DaemonSet](/docs/concepts/workloads/controllers/daemonset/)
to your cluster.

<!-- steps -->

## Create an ip-masq-agent

To create an ip-masq-agent, run the following kubectl command:
